Azure Identity and Access (Entra ID)

Identity is the foundation of security in Azure. Microsoft Entra ID (formerly Azure Active Directory / Azure AD) is Azure's cloud-based identity and access management service. It controls who can sign in and what they can access.

---

What Is Microsoft Entra ID?

Entra ID is a cloud identity provider that handles:

• Authentication — verifying who you are (sign-in)
• Authorisation — determining what you're allowed to do
• Single sign-on (SSO) — one set of credentials for multiple applications
• Multi-factor authentication (MFA) — requiring a second form of verification
• Conditional access — enforcing policies based on user, device, location, and risk

Entra ID vs On-Premises Active Directory

Feature	On-Premises AD	Entra ID
Protocol	Kerberos, LDAP	OAuth 2.0, OpenID Connect, SAML
Structure	Organisational Units (OUs), Group Policy	Flat structure, Conditional Access
Location	Your data centre	Cloud-hosted by Microsoft
Integration	Windows domain-joined machines	SaaS apps, Azure resources, Microsoft 365

Many organisations use Entra Connect to synchronise on-premises AD with Entra ID, creating a hybrid identity environment.

---

Key Concepts

Tenant

An Entra ID tenant is a dedicated instance of the directory for your organisation. When you sign up for Azure, you automatically get a tenant. It represents your organisation and holds your users, groups, and app registrations.

Users

Users are identities that can sign in. There are two types:

• Cloud-only users — created directly in Entra ID
• Synced users — synchronised from on-premises AD via Entra Connect

Groups

Groups simplify access management. Instead of assigning permissions to individual users, assign them to a group:

Group Type	Description
Security group	Used to manage access to resources
Microsoft 365 group	Used for collaboration (shared mailbox, calendar, SharePoint)

Groups can have assigned or dynamic membership:

• Assigned — you manually add and remove members
• Dynamic — membership is determined by rules (e.g., all users in the "Engineering" department)

---

Azure Role-Based Access Control (RBAC)

Azure RBAC controls what users can do with Azure resources. It is built on three concepts:

1. Security Principal (Who)

The identity requesting access:

• User
• Group
• Service principal (application identity)
• Managed identity (Azure-managed application identity)

2. Role Definition (What)

A collection of permissions. Azure provides built-in roles:

Role	Permissions
Owner	Full access to all resources, including the ability to assign roles
Contributor	Create and manage all resources, but cannot assign roles
Reader	View resources only
User Access Administrator	Manage user access to resources